- Address SonarCloud Issues

- Used IAM in apigw method authorization for now until authorizer has been setup
bcgov · Nov 13, 2024 · fca25b7 · fca25b7
1 parent 50fa6f9
commit fca25b7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf
@@ -133,12 +133,13 @@ module "lambda" {
 
 # Create API Gateway
 module "apigw" {
-  source           = "../../modules/APIGateway"
-  environment      = var.environment
-  app_name         = var.app_name
-  region           = var.region
-  account_id       = data.aws_caller_identity.current.account_id
-  lambda_functions = module.lambda.lambda_functions
+  source                 = "../../modules/APIGateway"
+  environment            = var.environment
+  app_name               = var.app_name
+  region                 = var.region
+  account_id             = data.aws_caller_identity.current.account_id
+  lambda_functions       = module.lambda.lambda_functions
+  ecs_execution_role_arn = module.iam.ecs_execution_role_arn
 }
 
 # Create ECS Cluster

diff --git a/infrastructure/cloud/modules/APIGateway/main.tf b/infrastructure/cloud/modules/APIGateway/main.tf
@@ -22,7 +22,7 @@ resource "aws_api_gateway_rest_api_policy" "apigw_rest_api_policy" {
     Statement = [
       {
         Effect    = "Allow"
-        Principal = "*"
+        Principal = var.ecs_execution_role_arn
         Action    = "execute-api:Invoke"
         Resource  = "arn:aws:execute-api:${var.region}:${var.account_id}:${aws_api_gateway_rest_api.apigw.id}/*"
       }
@@ -63,7 +63,7 @@ resource "aws_api_gateway_method" "get_locations_method" {
   rest_api_id      = aws_api_gateway_rest_api.apigw.id
   resource_id      = aws_api_gateway_resource.locations_resource.id
   http_method      = var.lambda_functions["get-locations"].http_method
-  authorization    = "NONE"
+  authorization    = "AWS_IAM"
   api_key_required = true
 
   request_parameters = {
@@ -92,7 +92,7 @@ resource "aws_api_gateway_method" "get_locations_rooms_method" {
   rest_api_id      = aws_api_gateway_rest_api.apigw.id
   resource_id      = aws_api_gateway_resource.rooms_resource.id
   http_method      = var.lambda_functions["get-rooms"].http_method
-  authorization    = "NONE"
+  authorization    = "AWS_IAM"
   api_key_required = true
 
   request_parameters = {
@@ -130,7 +130,7 @@ resource "aws_api_gateway_method" "get_files_civil_method" {
   rest_api_id      = aws_api_gateway_rest_api.apigw.id
   resource_id      = aws_api_gateway_resource.civil_resource.id
   http_method      = var.lambda_functions["search-civil-files"].http_method
-  authorization    = "NONE"
+  authorization    = "AWS_IAM"
   api_key_required = true
 }
 
@@ -155,7 +155,7 @@ resource "aws_api_gateway_method" "get_files_criminal_method" {
   rest_api_id      = aws_api_gateway_rest_api.apigw.id
   resource_id      = aws_api_gateway_resource.criminal_resource.id
   http_method      = var.lambda_functions["search-criminal-files"].http_method
-  authorization    = "NONE"
+  authorization    = "AWS_IAM"
   api_key_required = true
 }
 

diff --git a/infrastructure/cloud/modules/APIGateway/variables.tf b/infrastructure/cloud/modules/APIGateway/variables.tf
@@ -26,3 +26,8 @@ variable "lambda_functions" {
     invoke_arn    = string
   }))
 }
+
+variable "ecs_execution_role_arn" {
+  description = "The ECS Task Definition Execution role ARN"
+  type        = string
+}